Re: [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Jay Soffian <jaysoffian@xxxxxxxxx> writes:

> When gitweb is used as a DirectoryIndex, it attempts to strip
> PATH_INFO on its own, as $cgi->url() fails to do so.
>
> However, it fails to account for the fact that PATH_INFO has
> already been URL-decoded by the web server, but the value
> returned by $cgi->url() has not been. This causes the stripping
> to fail whenever the URL contains encoded characters.
>
> To see this in action, setup gitweb as a DirectoryIndex and
> then use it on a repository with a directory containing a
> space in the name. Navigate to tree view, examine the gitweb
> generated html and you'll see a link such as:
>
>   <a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a>
>
> When clicked on, the browser will URL-encode this link, giving
> a $cgi->url() of the form:
>
>    /test.git/tree/HEAD:/directory%20with%20spaces
>
> While PATH_INFO is:
>
>    /test.git/tree/HEAD:/directory with spaces
>
> Fix this by calling unescape() on both $my_url and $my_uri before
> stripping PATH_INFO from them.
>
> Signed-off-by: Jay Soffian <jaysoffian@xxxxxxxxx>
> ---

Thanks.  From a cursory look, with the help from the explanation in
the proposed commit log message, the change looks sensible.

I wonder if a breakage like this is something we can catch in one of
the t95xx series of tests, though.

Jakub, Ack?

>  gitweb/gitweb.perl | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 3d6a705388..7f8c1878d4 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -54,6 +54,11 @@ sub evaluate_uri {
>  	# to build the base URL ourselves:
>  	our $path_info = decode_utf8($ENV{"PATH_INFO"});
>  	if ($path_info) {
> +		# $path_info has already been URL-decoded by the web server, but
> +		# $my_url and $my_uri have not. URL-decode them so we can properly
> +		# strip $path_info.
> +		$my_url = unescape($my_url);
> +		$my_uri = unescape($my_uri);
>  		if ($my_url =~ s,\Q$path_info\E$,, &&
>  		    $my_uri =~ s,\Q$path_info\E$,, &&
>  		    defined $ENV{'SCRIPT_NAME'}) {
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]